For example, can you instruct it to open file:// from the local os, or download some colossal 100TB file?
prompt injection isn't going away anytime soon, so we have to treat the agent like arbitrary code. Wrapping in something like Firecracker, and giving the agent extremely scoped access is crucial.
One achillies heel of browser use agents is that you often can't filter permissions like you can with API keys, which is shown in this demo by having the agent make an api key.
Where I landed was a bit of a Jupyter notebook concept for a conversation where a user/API can request that certain prompts (cells) be trusted (elevated permissions for tools and file system access) while you do the bulk of the analysis work in the untrusted prompts.
(if anyone is interested in the germ of the idea: https://zero2data.substack.com/p/trusted-prompts)
I don't want a trojan horse in my own browser.
